gabriel rosenkoetter on Fri, 14 Jun 2002 23:20:16 +0200
On Fri, Jun 14, 2002 at 04:59:46PM -0500, Sean Finney wrote:
> someone correct me if I'm wrong, but I think there might be some security
> implications of using system(3).

Well, provided that the string you pass to system(3) isn't user-supplied, the only real problem is that you're presuming that the binary you call is the right thing. You can give system(3) a full path, but I can just chroot(8) before calling your binary, so that saves you from broken PATHs but not from real exploits. (Ah. Yes, you say all that below. Whoops.)

If there's something broken about your waitpid(2) implementation, you'll probably get screwed, but you'd already be having all kinds of trouble if that were the case.

> but I believe system passes the environment on to
> an equivalent of '/bin/sh -c command'.

True. Note that it passes the environment along too. So if that's poisoned, you're not saving yourself from it by calling system.

> if this were to be done in a program
> that might later be made setuid/setgid root, a malicious user could
> do things like chrooting and re-arranging his/her path so that "cp"
> pointed to a script in his/her homedir that did something like 'dd
> if=/dev/random of=/dev/hd?'.

Um, but I could just as easily trick your program into doing the same thing if you were trusting the environment. That's pilot error on the part of the admin who added the suid/sgid bit. (Okay, so it's *slightly* less easy, but I could still do it. Think LD_LIBRARY_PATH and my own libc.)

Writing safe suid/sgid binaries is EXTREMELY difficult, and something no one without a really good understanding of how the Unix permissions structure works should consider attempting. (That is, I wouldn't attempt it, because I don't think I'd get it right. And I'd like to think I mostly get how Unix works.)

Unfortunately, junior admins who learn about the s{u,g}id bit are often like someone with only a hammer in their toolbox. (There's almost always a better solution.)
-- 
gabriel rosenkoetter
gr@eclipsed.net
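The two points made in the message above, that system(3) hands its string to "/bin/sh -c" together with the caller's whole environment and that a PATH pointing at a writable directory turns "cp" into whatever script the attacker put there, shown next to the usual hardened form (fork/execve with an absolute path and a fixed environment). This is an added example, not code from the thread or from its authors. It assumes a Linux/glibc-style system with /bin/sh available; the PATH entry /tmp/evil is a constructed stand-in for an attacker-controlled directory, and nothing is actually written there.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only environment the child ever sees: an absolute PATH and nothing
 * else, so LD_*, IFS, ENV/BASH_ENV and the rest are simply not inherited. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Reduce a waitpid() status to one integer: exit code on normal exit,
 * 128+signal if the child was killed by a signal, -1 otherwise. */
static int decode_status(int status)
{
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* The pattern under discussion: system(3) runs "/bin/sh -c cmd" with the
 * caller's entire environment, PATH included. */
int run_with_system(const char *cmd)
{
    int status = system(cmd);
    return status == -1 ? -1 : decode_status(status);
}

/* Hardened form: absolute program path, no shell, fixed environment.
 * argv follows execve(2): argv[0] is the program name, NULL-terminated.
 * This still trusts the file at abs_path; a setuid caller should also
 * drop privileges before calling it. */
int run_trusted(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;               /* never let exec consult PATH */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);              /* exec failed: same code the shell uses */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return decode_status(status);
}

/* Check a PATH value before trusting it: every element must be absolute.
 * An empty element or "." means the current directory is searched, which
 * is exactly how "cp" becomes the attacker's script. 1 = safe, 0 = not. */
int path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    for (;;) {
        if (*path != '/')
            return 0;
        const char *colon = strchr(path, ':');
        if (colon == NULL)
            return 1;
        path = colon + 1;
    }
}

/* Demonstration helpers (constructed for this example): poison PATH in our
 * own environment, then ask a child shell whether the PATH it inherited
 * equals `expected`. Returns 1 if it does, 0 otherwise. */
int poison_path(const char *value)
{
    return setenv("PATH", value, 1);
}

int child_sees_path(int via_system, const char *expected)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "test \"$PATH\" = '%s'", expected);
    if (via_system)
        return run_with_system(cmd) == 0;
    char *const argv[] = { "sh", "-c", cmd, NULL };
    return run_trusted("/bin/sh", argv) == 0;
}

int main(void)
{
    const char *evil = "/tmp/evil:/usr/bin:/bin";   /* hostile caller's PATH */
    poison_path(evil);
    printf("PATH %s safe to trust: %d\n", evil, path_is_safe(evil));
    printf("system() child inherits poisoned PATH: %d\n", child_sees_path(1, evil));
    printf("run_trusted() child sees clean PATH:   %d\n", child_sees_path(0, "/usr/bin:/bin"));
    return 0;
}
```

The relative-path refusal in run_trusted and the path_is_safe check are the two places a caller most often gets this wrong; the first stops exec from consulting PATH at all, the second is for programs that must consult PATH (or pass it on) and want to reject one that an unprivileged user could have steered.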